CCPA & CPRA
The California Privacy Rights Act (CPRA) is a ballot measure, passed in November 2020, that amends and expands California's existing privacy law, the California Consumer Privacy Act (CCPA). The CPRA enhances consumer privacy by strengthening consumers' rights over their data and expanding businesses' responsibilities toward consumers.
You may be wondering what all this means for your business and for privacy regulation in California and beyond. This guide covers what you should know about the CPRA and how to comply with it.
Table of contents
What is the California Privacy Rights Act?
History of CPRA
Why pass CPRA?
CPRA Timeline
Who needs to comply with the CPRA?
What new rules will the CPRA introduce?
What happens if you don't comply with the CPRA?
How to comply with CPRA?
Conclusion
What is the California Privacy Rights Act?
The California Privacy Rights Act, also known as Proposition 24, is a data privacy measure approved by a majority of voters in the November 3, 2020 general election. The Act aims to:
Strengthen the privacy rights of California residents.
Tighten regulation of how businesses use consumers' personal information (PI).
Create the California Privacy Protection Agency (CPPA), a new government agency responsible for statewide privacy rulemaking and enforcement, and more.
Most of the Act's provisions became operative on January 1, 2023, with enforcement beginning July 1, 2023. The expanded right to know reaches back to personal information collected on or after January 1, 2022.
History of CPRA
The CPRA was initiated by Alastair Mactaggart, a real estate developer who founded a California consumer privacy advocacy group. Through that group he sponsored the ballot initiative that became the California Privacy Rights Act.
Alastair's take: "With the passage of the California Consumer Privacy Act, we have laid a historic foundation for consumer rights in California, and now is the time to seize the momentum and take the next step in enforcing and expanding the law to keep pace with an industry that is changing at an alarming rate. That's why we're launching a new initiative that will further protect our most personal information, increase fines for violations of children's privacy, increase transparency and, most importantly, build a law enforcement agency that really thinks about consumers."
As required by state law, Attorney General Xavier Becerra issued the CPRA's official title and summary.
Why pass CPRA?
The CPRA was passed to enhance the privacy of California residents and to make the exchange of information between businesses and consumers transparent. It gives California residents the right to:
Control and restrict a business's use of their personal information and sensitive personal information.
Correct, delete and transfer their personal information.
Find out how long businesses will retain their data.
Hold businesses accountable when they fail to comply with CPRA requirements.
Keep these privacy protections for data collected about them as employees, job applicants and independent contractors (the CCPA's temporary exemption for that data expired on January 1, 2023).
CPRA Timeline
You may have assumed that the CPRA would only matter from 2023, but its lookback to January 1, 2022 changes that.
What does it mean?
Beginning January 1, 2023, consumers can request the personal information you hold about them, and under the CPRA that request reaches back to data collected on or after January 1, 2022. On request, you must disclose that data, including the categories of third parties and service providers with which you have shared it.
This means you need to start collecting, tagging and tracking data the right way from January 1, 2022, even though the CPRA's obligations did not apply to your business until 2023.
For example, if a consumer submits a request in 2028, you may have to provide all information about them that you collected on or after January 1, 2022 and still hold. The CCPA's 12-month limit on such requests no longer applies to that data unless retrieving it would be impossible or would involve disproportionate effort.
Who needs to comply with the CPRA?
The CPRA applies to for-profit businesses that do business in California, collect consumers' personal information, and meet any one of the following thresholds:
Annual gross revenue over $25 million in the preceding calendar year.
50% or more of annual revenue derived from selling or sharing consumers' personal information.
Annually buying, selling or sharing the personal information of 100,000 or more consumers or households.
Important: Even if your business is not physically or legally located in California, it is still subject to the CPRA if it does business in the state and handles the personal information of California residents.
What new rules will the CPRA introduce?
The CPRA introduces a number of new and revised provisions to protect Californians' privacy from corporate data practices. The main provisions are as follows:
Introduces three new rights
The CPRA introduces three new rights for California residents:
1. Right to Correction of Inaccurate Information.
This means that if consumers find that their PI or SPI is inaccurate, they can request that the business correct it.
2. Right to Opt Out of and Know About Automated Decision Making.
The CPRA directs the CPPA to issue regulations giving consumers the right to access information about, and to opt out of, a business's use of automated decision-making technology, including profiling. Profiling means automated processing of PI to evaluate aspects of a person such as their economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
3. Right to Restrict Sensitive Personal Information
This means California residents can ask a business to limit its use of this separate category of personal data to what is necessary to provide the requested goods or services, and to limit its disclosure to third parties. Sensitive personal information includes:
Racial or ethnic origin.
Religious or philosophical beliefs, or union membership.
Data about sex life or sexual orientation.
Genetic data.
Health data.
Precise geolocation.
Social Security number and driver's license, state ID or passport number.
Account login, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to the account.
The contents of consumer mail, email and text messages (where the business is not the intended recipient of the communication).
Biometric information processed for the purpose of uniquely identifying a consumer.
Modification of five existing CCPA rights
The CPRA amends the following rights:
1. Right to deletion
The CPRA expands California residents' right to request deletion of their personal information: businesses must now also notify their service providers, contractors and any third parties to which they sold or shared that information to delete it.
However, the right to deletion does not require a business to delete personal information when it is needed to:
Complete the transaction for which the information was collected or provide a good or service the consumer requested.
Detect and respond to security incidents.
Protect against malicious, deceptive, fraudulent or illegal activity.
Exercise free speech or ensure another consumer's right to free speech.
2. Right to know
Under the CCPA, consumers could request details about personal information collected in the previous 12 months; the CPRA extends this window beyond 12 months for information collected on or after January 1, 2022, unless retrieving it would be impossible or involve disproportionate effort.
3. Right to opt out
Under the CCPA, consumers could only opt out of the sale of their personal information. Under the CPRA, California residents can also opt out of businesses sharing their PI with third parties for cross-context behavioral advertising, even when no money changes hands.
4. The rights of minors
Under the CCPA, businesses need opt-in consent before selling the personal information of consumers under the age of 16 (and parental consent for those under 13). The CPRA extends this to sharing, and requires a business to wait 12 months after a minor declines before asking for that consent again.
5. Right to data portability
Under the CCPA, consumers have the right to request copies of their personal information from businesses. The CPRA extends this right so that consumers can request their data in a commonly used, machine-readable format that can be easily transferred to another organization.
CPRA introduces new consent criteria
The CPRA extends the CCPA's consent requirements to cover:
Consent before selling or sharing a consumer's PI after the consumer (or a minor's parent or guardian) has opted out or declined.
Consent to the use of consumer data for research purposes.
Opt-in consent to participate in financial incentive programs.
CPRA regulates behavioral advertising
The CCPA gives consumers the right to opt out of the sale of their personal information, meaning its disclosure to a third party for monetary or other valuable consideration, including for advertising.
The CPRA distinguishes two types of advertising: cross-context behavioral advertising and non-personalized advertising.
● Cross-context behavioral advertising
This targets consumers based on personal information obtained from their activity across businesses, distinctly-branded websites, applications or services other than the one they are intentionally interacting with.
Consumers have the right to opt out of such advertising.
Consumers can ask a business to stop sharing their PI with third parties for this purpose, so that they are not targeted on the basis of behavioral data (such as searches, browsing history, purchase history, device settings and so on) collected elsewhere.
● Non-personalized advertising
This is advertising based solely on PI derived from the consumer's current interaction with the business, excluding their precise geolocation.
The CPRA's opt-out does not cover this type of advertising, which is treated as part of running the business.
Establishes the California Privacy Protection Agency
The Act creates a new dedicated privacy agency, the California Privacy Protection Agency (CPPA), to take over rulemaking and handle enforcement.
Governance: The CPPA is governed by a five-member board appointed by the Governor (who also names the chair), the Attorney General, the Senate Rules Committee and the Speaker of the Assembly.
Appointees must have expertise in privacy, technology and consumer rights, and are subject to restrictions intended to insulate them from outside influence.
The role of the CPPA: It issues regulations under and oversees the CCPA as amended by the CPRA, and has the power to investigate violations and impose administrative fines.
CPRA introduces GDPR-like requirements
The CPRA introduces three additional obligations for businesses, modelled closely on the EU GDPR:
Data minimization
Purpose limitation
Storage limitation
Data minimization
Under the CPRA, a business's collection, use, retention and sharing of Californians' PI must be reasonably necessary and proportionate to the purposes for which the information was collected or processed.
Purpose limitation
Organizations may not collect, use or share Californians' PI for purposes incompatible with the purposes disclosed at collection without first notifying the consumer. Information may only be collected once the business has disclosed the purposes for which it will be used.
Storage limitation
A business must tell California residents, at or before the point of collection, how long it will retain each category of personal information (or, if that is not possible, the criteria it uses to determine the retention period). This gives consumers the right to know how long their data will be stored after it is collected.
CPRA requires businesses to add links on their website so consumers can register data sharing preferences
The CPRA requires businesses to give consumers a way to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information. To do this, a business must place a clear and conspicuous link on its website titled "Do Not Sell or Share My Personal Information" and, if it uses or discloses SPI beyond the permitted purposes, a second link titled "Limit the Use of My Sensitive Personal Information" so that California residents can restrict that use and disclosure.
| Basis | CCPA | CPRA |
|---|---|---|
| Consumer privacy rights | Gives California consumers the right to know, to delete, to opt out of the sale of their personal information, to data portability, and opt-in protection for minors under 16. | Adds three new rights (to correct inaccurate information, to opt out of automated decision making, and to limit the use of sensitive personal information) and extends the five existing rights. |
| Sensitive personal information (SPI) | Includes SPI within the broader regulated dataset but imposes no separate requirements or prohibitions on it (aside from heightened verification requirements). | Treats SPI as a separate category: consumers can limit its use and disclosure, and businesses must identify it separately and offer a "Limit the Use of My Sensitive Personal Information" link. |
| Sharing of personal information (PI) | The opt-out covers only the sale of PI, meaning its disclosure for monetary or other valuable consideration. | The opt-out also covers sharing PI for cross-context behavioral advertising, whether or not money or other valuable consideration changes hands. |
| Link titles | Businesses must provide a "Do Not Sell My Personal Information" link on their website. | Businesses must provide a "Do Not Sell or Share My Personal Information" link (and, where applicable, a "Limit the Use of My Sensitive Personal Information" link). |
| Cure period and fines | A business notified of an alleged violation has 30 days to cure it before enforcement. | Removes the mandatory 30-day cure period and extends the $7,500 per-violation tier to violations involving the personal information of consumers under 16. |
What happens if you don't comply with the CPRA?
If you violate the CPRA, you are exposed to the following penalties, which the CPPA may impose as administrative fines and the Attorney General may seek as civil penalties:
Up to $2,500 per violation.
Up to $7,500 per intentional violation, and per violation involving the personal information of a consumer the business knows is under the age of 16.
How to comply with CPRA?
To comply with the CPRA, we strongly recommend that you do the following:
• Organize third-party data flows
The CPRA expands obligations around data handled by third parties. Audit your vendors and partners, make sure all data is shared, managed and stored securely, and streamline your process for passing consumer requests for correction, deletion or transfer on to them.
• Create user data inventories
Because the CPRA takes consumers' SPI seriously, you must ensure that every piece of data you hold, such as demographics, location, employment data and so on, is inventoried from January 1, 2022 onward. Collating this information and attaching it to the correct consumer will be critical under the CPRA.
• Tag and differentiate your data
Label SPI to distinguish it from non-sensitive personal information. This lets you tell whether a consumer request should be handled as an opt-out of sale or sharing or as a request to limit the use of sensitive data.
Once personal information is tagged, SPI can be separated from other information. If you are already GDPR compliant, you have probably identified most of your SPI already, since the GDPR's special categories overlap with it.
• Update consent and opt-in forms
Use consent and opt-in forms to confirm consumers' permission to use, store or share their data, and improve the opt-in and consent forms on your website, in email and in other digital channels.
• Implement robust request-handling processes
With the CPRA in force, more consumers will request deletion, transfer or correction of their data. You will need robust processes, people and technology to handle these requests smoothly.
• Change your data retention schedule
Replace a blanket rule such as "keep everything for 12 months" with per-category retention periods tied to the disclosed purpose of collection. Keep each category of data only as long as is reasonably necessary for that purpose, and state those periods in your notice at collection.
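The steps above can be modelled in code. The following is an added example, not part of the original article and not any vendor's product: a minimal consumer data inventory that tags records as PI or SPI, applies the January 1, 2022 lookback to a right-to-know request, enforces the two opt-outs (sale/share and limit SPI), purges records past a per-category retention period, and lists the third parties that must be notified when a consumer requests deletion. The category names, retention periods, permitted SPI purposes and sample records are assumptions constructed for illustration.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# CPRA right-to-know requests reach back to data collected on or after this date.
LOOKBACK_START = date(2022, 1, 1)

# Assumed classification: categories that count as sensitive PI (SPI).
# "email" and "purchase_history" are ordinary PI in this example.
SENSITIVE_CATEGORIES = {"ssn", "precise_geolocation", "health", "account_credentials", "biometric"}

# Assumed per-category retention schedule (in days), disclosed at the point of collection.
RETENTION_DAYS = {
    "email": 3 * 365,
    "purchase_history": 7 * 365,
    "precise_geolocation": 30,
    "ssn": 7 * 365,
    "health": 2 * 365,
}

# Assumed policy: once a consumer limits SPI, it may only be used to deliver the requested service.
SPI_PERMITTED_AFTER_LIMIT = {"provide_service"}


@dataclass
class Record:
    category: str
    value: str
    collected: date
    shared_with: tuple[str, ...] = ()  # third parties / service providers that received this record

    @property
    def sensitive(self) -> bool:
        return self.category in SENSITIVE_CATEGORIES

    def expired(self, today: date) -> bool:
        return today > self.collected + timedelta(days=RETENTION_DAYS[self.category])


@dataclass
class Consumer:
    consumer_id: str
    records: list[Record] = field(default_factory=list)
    limit_spi: bool = False            # "Limit the Use of My Sensitive Personal Information"
    opt_out_sale_share: bool = False   # "Do Not Sell or Share My Personal Information"


def right_to_know(consumer: Consumer) -> dict:
    """Disclosure for a right-to-know request: every record collected on or after the
    lookback start, tagged PI/SPI, with the parties each record was shared with."""
    items = [
        {
            "category": r.category,
            "sensitive": r.sensitive,
            "value": r.value,
            "collected": r.collected.isoformat(),
            "shared_with": sorted(r.shared_with),
        }
        for r in consumer.records
        if r.collected >= LOOKBACK_START
    ]
    return {"consumer_id": consumer.consumer_id, "records": items}


def export_portable(consumer: Consumer) -> str:
    """Right to data portability: the same disclosure as machine-readable JSON."""
    return json.dumps(right_to_know(consumer), indent=2)


def allowed_use(consumer: Consumer, record: Record, purpose: str) -> bool:
    """Apply the two opt-outs: no sale/share once the consumer has opted out, and SPI only
    for permitted purposes once the consumer has limited its use."""
    if purpose in ("sell", "share") and consumer.opt_out_sale_share:
        return False
    if record.sensitive and consumer.limit_spi and purpose not in SPI_PERMITTED_AFTER_LIMIT:
        return False
    return True


def request_deletion(consumer: Consumer) -> list[str]:
    """Right to delete: drop every record and return the deduplicated list of
    third parties that must be notified to delete their copies too."""
    parties = sorted({p for r in consumer.records for p in r.shared_with})
    consumer.records.clear()
    return parties


def purge_expired(consumer: Consumer, today: date) -> list[str]:
    """Storage limitation: remove records past their category's retention period."""
    purged = [r.category for r in consumer.records if r.expired(today)]
    consumer.records = [r for r in consumer.records if not r.expired(today)]
    return purged


def sample_consumer() -> Consumer:
    """Constructed sample data, not real consumer data."""
    return Consumer(
        consumer_id="c-001",
        records=[
            Record("email", "jane@example.com", date(2021, 6, 1), ("mail-vendor",)),  # before lookback
            Record("purchase_history", "order#123", date(2022, 3, 15), ("ad-network", "analytics-co")),
            Record("precise_geolocation", "37.77,-122.42", date(2023, 5, 2)),
            Record("health", "allergy:peanuts", date(2023, 9, 9), ("analytics-co",)),
        ],
    )


if __name__ == "__main__":
    c = sample_consumer()
    print(export_portable(c))                      # only the three post-2022 records appear
    c.limit_spi = True
    print(allowed_use(c, c.records[3], "share"))   # False: SPI limited by the consumer
    print(purge_expired(c, date(2024, 1, 1)))      # geolocation is past its 30-day retention
    print(request_deletion(c))                     # parties to notify of the deletion
```

Note that the disclosure excludes the 2021 email record only because of the lookback; it is still subject to deletion and retention purging, which is why `request_deletion` still lists `mail-vendor`.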
Conclusion
As digitization advances, laws such as the CPRA play a vital role in keeping consumers' personal data safe and secure and in making businesses' use of that data as transparent and sensible as possible.
The CPRA will change the way you do business. By following the steps above, you can avoid violating it and maintain a healthy relationship with your users.
Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.